Security news that informs and inspires

Analysis of DNS Traffic Uncovers DDoS Attacks


Internet usage in 2020 is shaping up to be very different from how it was at the end of 2019. New research into DNS traffic shows where people have been spending their time online and has uncovered previously unknown distributed denial-of-service attacks.

In an analysis of passive DNS cache-miss levels for 316 online sites over a two-month period, there was a massive “step up” in traffic volumes, Farsight Security said in its latest report. The company looked at daily DNS transactions across five industries: travel and transportation, retail, streaming video, higher education, and news and opinion sites. It found that many sites saw as much as a seven-fold increase in the number of domain requests, and that some of the spikes suggest attackers may have attempted massive denial-of-service attacks during the study period.

A DNS cache miss occurs when a recursive resolver receives a query for a name and record type it does not already hold in its cache, so it has to go out to the authoritative name servers for the answer. Since most users regularly visit a limited number of sites, such as Google, Facebook, Amazon, and Netflix, caching makes lookups for popular sites efficient: it makes no sense for an ISP's resolver to repeatedly look up the same names, so it keeps each answer in its local cache for the lifetime (TTL) the authoritative server attached to it, and only queries the cache cannot satisfy leave the resolver. Those outbound resolver-to-authoritative queries are what passive DNS observes, and Farsight Security used its DNSDB platform to count each day's cache misses.

"If the user's query is one for a name that hasn't been seen and cached recently, the recursive resolver must then chase down the information the user requires," the report said. "That's called a 'cache miss.'"

Farsight Security said the volume of misses increased by four to seven times at the end of March and the beginning of April. Mid-to-late March, when the shift in DNS traffic became obvious in the data, coincides with the period when many states and countries issued stay-at-home orders due to the novel coronavirus pandemic. More employees worked from home, and many were laid off or furloughed from their jobs. Colleges and universities shifted their classes online, and online shopping soared. Business and leisure travel declined dramatically, and streaming video became the primary form of entertainment.

“The world we inhabit today is NOT the same world we inhabited at the end of 2019,” the report’s authors wrote.

Farsight Security said that the spikes in traffic could represent “denial of service (DDoS) attack traffic reflexively targeting some unrelated third-party site or sites.” However, the company also offered alternative explanations for the change in DNS traffic: users may simply be more active online, trying out new forms of entertainment or developing new interests, and organizations may be changing their services, such as moving to a content distribution network for increased capacity.

The purpose of the report was not to “attribute” or "apportion" the change in traffic levels, but to report on the “macroscopic phenomenon,” the company said.

"Having run the data, what we're seeing is more traffic in most cases, with some sites exhibiting spikes consistent with DDoS (distributed denial-of-service) attacks exploiting those sites," the report said.

The report includes a plot for every domain the company analyzed, and the fact that something happened is unmistakable. Many of the sites across industries showed a "step" pattern, indicating a significant increase in traffic volume. While some industries showed traffic spikes that could be explained by DDoS attacks, others were not so clear-cut.

For example, fewer people are making travel plans, so it would make sense for traffic to travel and transportation sites such as airlines to be low. However, many people may be hitting those sites to cancel pre-scheduled travel and obtain refunds or credits. The data showed more traffic, and some sites had "spikes consistent with DDoS Attacks," the report said.

The site for American Airlines, aa.com, had a significant spike on April 28: 37.3 million Start of Authority (SOA) queries for aa.com. In comparison, Farsight Security counted 54,564 SOA queries for aa.com on March 20. There were differences even within this category: Air Asia was fairly flat, with no spikes, and Austrian Airlines saw a small spike much earlier, in mid-March. Delta Airlines had an abrupt spike similar to American Airlines, except in early April.

The analysis uncovered at least two distinct reflective DDoS attack patterns among the sites: one consisting purely of abusive DNS SOA queries, and another combining abusive SOA queries with abusive DNS TXT queries for wildcarded SPF redirect records. Neither query type is something ordinary web browsing generates in volume, which is what marks them as abusive rather than user-driven.

Apple sites also saw over 18.5 million SOA queries on April 28, compared to 766,933 SOA queries on March 15. Apple sites also had a high volume of DNS TXT queries, over 400 times normal levels. The majority of those TXT answers were SPF-related: Apple.com's name servers were set up with a wildcard record, so a TXT query for any otherwise nonexistent subdomain gets an SPF record redirecting to _spf.apple.com rather than a "no such name" error.

"We believe this may be getting exploited for pseudo-random subdomain DDOS attack purposes," Farsight Security said in the report.
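To make the cache-miss definition above and the wildcard SPF redirect concrete, here is an added example (not Farsight's code, and not any real resolver or Apple's zone): a toy recursive resolver with a TTL cache in front of a constructed example.com zone that carries a wildcard TXT record of the "v=spf1 redirect=" shape. It counts how many of a thousand lookups of one popular name actually leave the resolver, versus a thousand TXT lookups of unique subdomains standing in for an attacker's pseudo-random ones. The zone contents, TTLs, labels and query stream are all assumptions.

```python
"""Toy recursive resolver with a TTL cache in front of a toy authoritative zone.
Shows why repeat lookups of a popular name are cache hits (invisible to passive
DNS) while each unique pseudo-random subdomain is a cache miss, and how a
wildcard TXT/SPF-redirect record answers every one of those random names.
Added example, not Farsight's or any resolver's code; the zone, TTLs and
query stream are constructed (example.com stands in for the real domains)."""

# Constructed zone: (owner, qtype) -> (rdata, ttl). The wildcard TXT mirrors the
# "redirect to an _spf name" shape the report describes, under example.com.
ZONE = {
    ("example.com.", "SOA"): ("ns1.example.com. hostmaster.example.com. 2020042801 7200 900 1209600 300", 3600),
    ("example.com.", "A"): ("192.0.2.10", 300),
    ("www.example.com.", "A"): ("192.0.2.10", 300),
    ("_spf.example.com.", "TXT"): ('"v=spf1 ip4:192.0.2.0/24 -all"', 3600),
    ("*.example.com.", "TXT"): ('"v=spf1 redirect=_spf.example.com"', 3600),
}
NEGATIVE_TTL = 300  # SOA minimum field: how long a resolver caches NXDOMAIN/NODATA


def name_exists(name):
    """A name exists in the zone if it owns records or has descendants (RFC 4592)."""
    return any(owner == name or owner.endswith("." + name) for owner, _ in ZONE)


def authoritative_lookup(qname, qtype):
    """(rdata, ttl) for the query, synthesising from a wildcard when the exact
    name does not exist; None for NXDOMAIN or NODATA."""
    if (qname, qtype) in ZONE:
        return ZONE[(qname, qtype)]
    if name_exists(qname):
        return None                              # NODATA: name exists, no such type
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):          # walk up to the closest encloser
        ancestor = ".".join(labels[i:])
        if name_exists(ancestor):
            return ZONE.get(("*." + ancestor, qtype))   # wildcard answer, or None
    return None


class Resolver:
    """Minimal recursive resolver: serves from cache while the TTL holds,
    otherwise asks the authoritative side and records a cache miss."""

    def __init__(self):
        self.now = 0
        self.cache = {}     # (qname, qtype) -> (rdata or None, expires_at)
        self.misses = []    # resolver -> authoritative queries: what passive DNS sees

    def resolve(self, qname, qtype):
        key = (qname, qtype)
        cached = self.cache.get(key)
        if cached and cached[1] > self.now:
            return cached[0], "hit"
        self.misses.append(key)
        rec = authoritative_lookup(qname, qtype)
        rdata, ttl = rec if rec else (None, NEGATIVE_TTL)
        self.cache[key] = (rdata, self.now + ttl)
        return rdata, "miss"


def simulate(n_popular=1000, n_random=1000):
    """Constructed query stream, one query per second: n_popular lookups of
    www.example.com A, then n_random TXT lookups of unique subdomains
    (deterministic labels stand in for an attacker's pseudo-random ones)."""
    r = Resolver()
    for i in range(n_popular):
        r.now = i
        r.resolve("www.example.com.", "A")
    popular_misses = len(r.misses)
    wildcard_answers = 0
    for i in range(n_random):
        r.now = n_popular + i
        rdata, _ = r.resolve(f"q{i:05d}.example.com.", "TXT")
        wildcard_answers += rdata == ZONE[("*.example.com.", "TXT")][0]
    return {
        "popular_queries": n_popular,
        "popular_misses": popular_misses,                   # one miss per TTL window
        "random_queries": n_random,
        "random_misses": len(r.misses) - popular_misses,    # every unique name misses
        "wildcard_answers": wildcard_answers,               # none of them is NXDOMAIN
    }


if __name__ == "__main__":
    print(simulate())
```

Running it shows the asymmetry that makes pseudo-random subdomain floods effective: the thousand lookups of www.example.com produce four misses (one per 300-second TTL window), while the thousand unique names produce a thousand misses, every one of them answered from the wildcard rather than cached as NXDOMAIN. A repeated SOA query for the apex, by contrast, is absorbed by a single resolver's cache for its TTL, so an SOA flood of the size described has to come from a very large number of distinct resolvers or from clients that do not cache at all.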

Not every step up pointed to an attack. Media site Forbes.com had a fairly consistent traffic volume during the first half of March, but in late March, volume "abruptly 'steps up,'" Farsight Security said. Prior to April 1, Farsight Security counted an average of about 61,342.7 queries a day for Forbes.com, but the count increased by 5.5 times afterwards.

In this case, the number of DNS cache-miss queries for login.forbes.com increased 24-fold, which suggests the site was putting more content behind its subscriber login and readers had to log in first. The number of cache-miss queries for aax.forbes.com, which appears to be the site's online advertising platform, increased nearly 11-fold. Breaking a domain's traffic down by subdomain and query type is what separates a user-driven step like this one from an attack spike made of SOA or TXT queries.
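A compact version of the step-versus-spike triage the report applies to the airline, Apple and Forbes plots, as an added example (this is not Farsight's code or DNSDB output): it classifies each domain's daily cache-miss counts as a single-day spike dominated by SOA or by SOA plus TXT queries, or as a sustained step up, and breaks a step down by subdomain. The domains airline.example, phone.example and news.example, the March 20 cutover, the thresholds and every count are constructed to reproduce the three shapes described above.

```python
"""Step-vs-spike analysis over daily cache-miss counts, in the spirit of the
Farsight report. Added example, not Farsight's code or DNSDB output: the
domains (airline.example, phone.example, news.example) and every count below
are constructed to reproduce the three shapes the report describes."""

import statistics
from collections import defaultdict
from datetime import date, timedelta

CUTOVER = date(2020, 3, 20)   # assumed stay-at-home cutover for the constructed data
SPIKE_FACTOR = 20             # a day is a spike at >= 20x the median daily total
STEP_FACTOR = 2               # a sustained >= 2x median-to-median increase is a step


def build_sample():
    """Constructed (day, qname, qtype, cache_misses) rows for 2020-03-01..2020-04-30."""
    rows = []
    for i in range(61):
        day = date(2020, 3, 1) + timedelta(days=i)
        after = day >= CUTOVER
        flood = day == date(2020, 4, 28)
        # airline.example: flat traffic plus a single-day SOA flood (SOA-only pattern)
        rows.append((day, "airline.example.", "A", 50_000))
        rows.append((day, "airline.example.", "SOA", 35_000_000 if flood else 55_000))
        # phone.example: SOA flood combined with wildcard TXT (SPF redirect) queries;
        # the attacker's random subdomains are aggregated under one synthetic label
        rows.append((day, "phone.example.", "A", 100_000))
        rows.append((day, "phone.example.", "SOA", 18_000_000 if flood else 60_000))
        rows.append((day, "pseudo-random.phone.example.", "TXT", 8_000_000 if flood else 20_000))
        # news.example: sustained step up after the cutover, driven by a login subdomain
        rows.append((day, "news.example.", "A", 120_000 if after else 60_000))
        rows.append((day, "login.news.example.", "A", 48_000 if after else 2_000))
    return rows


def under(qname, base):
    return qname == base or qname.endswith("." + base)


def daily_by_qtype(rows, base):
    """day -> {qtype: misses}, summed over the apex and all subdomains of base."""
    out = defaultdict(lambda: defaultdict(int))
    for day, qname, qtype, n in rows:
        if under(qname, base):
            out[day][qtype] += n
    return out


def find_spikes(by_day, factor=SPIKE_FACTOR):
    """Single-day spikes plus the query types that are elevated on each spike day.
    A qtype is elevated if its count that day is >= factor x its own median."""
    sums = {d: sum(q.values()) for d, q in by_day.items()}
    median_total = statistics.median(sums.values())
    qtypes = {t for q in by_day.values() for t in q}
    median_by_type = {t: statistics.median(q.get(t, 0) for q in by_day.values()) for t in qtypes}
    spikes = []
    for day in sorted(by_day):
        if sums[day] >= factor * median_total:
            elevated = sorted(t for t in qtypes
                              if by_day[day].get(t, 0) >= factor * max(median_by_type[t], 1))
            spikes.append((day, elevated))
    return spikes


def step_ratio(by_day, cutover=CUTOVER):
    """Median daily total after the cutover divided by the median before it."""
    before = [sum(q.values()) for d, q in by_day.items() if d < cutover]
    after = [sum(q.values()) for d, q in by_day.items() if d >= cutover]
    return statistics.median(after) / statistics.median(before)


def per_name_step_ratios(rows, base, cutover=CUTOVER):
    """The same ratio per individual name, to see which subdomain drives a step."""
    per_name = defaultdict(lambda: defaultdict(int))   # qname -> day -> misses
    for day, qname, qtype, n in rows:
        if under(qname, base):
            per_name[qname][day] += n
    ratios = {}
    for qname, days in per_name.items():
        before = [n for d, n in days.items() if d < cutover]
        after = [n for d, n in days.items() if d >= cutover]
        ratios[qname] = statistics.median(after) / statistics.median(before)
    return ratios


def classify(rows, base):
    """Verdict for one base domain: DDoS-shaped spike, sustained step, or flat."""
    by_day = daily_by_qtype(rows, base)
    spikes = find_spikes(by_day)
    ratio = step_ratio(by_day)
    if spikes and all("SOA" in elev for _, elev in spikes):
        kinds = {"SOA+TXT" if "TXT" in elev else "SOA-only" for _, elev in spikes}
        verdict = "spike consistent with reflective DDoS (" + ", ".join(sorted(kinds)) + ")"
    elif spikes:
        verdict = "spike of unknown type"
    elif ratio >= STEP_FACTOR:
        verdict = "sustained step up (check subdomains)"
    else:
        verdict = "flat"
    return {"step_ratio": round(ratio, 2), "spikes": spikes, "verdict": verdict,
            "names": {k: round(v, 1) for k, v in per_name_step_ratios(rows, base).items()}}


if __name__ == "__main__":
    sample = build_sample()
    for base in ("airline.example.", "phone.example.", "news.example."):
        print(base, classify(sample, base))
```

The two thresholds are the judgement calls: a medians-based baseline keeps a single flood day from inflating the "normal" level, and the per-type check is what tells an SOA-only flood apart from the SOA-plus-TXT pattern, while the per-name ratios expose a login subdomain rising 24-fold under an apex that only doubled.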

"When the headlines are all about some new mass shooting or as in this case a virus pandemic, most of the DNS traffic related to those headlines will be due to fraudulent or criminal activity by those hoping to cash in on the public's attention," said Paul Vixie, chairman, CEO, and co-founder of Farsight Security. "Therefore, it is worth our time to study DNS traffic patterns during every global event, to characterize current abuses of the system and to predict future abuses."